Pi-hole 4.4.0 Remote Code Execution (packetstormsecurity.com)
25 points by Bender on May 28, 2020 | 9 comments


FWIW 5.0 has been out for a bit and addresses this vuln.

Also, here is actual info about the vuln: https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi...


When 5.0 was released the comments were full of people saying they had forgotten about the pi hole they were using.

I bet most installs are running very old software.


That tends to happen with 'it just works' solutions, until it either doesn't or causes some other problem.


This is a different vuln: CVE-2020-11108


Hmmm, at least it's still for an outdated version


Vulnerability requires web access and password for the pi-hole.


^Thanks for that. I was frantically looking to patch my pihole till I saw this comment.

Everyone else, action item: Make sure your pihole web interface is not public (duh) and that you set a non-trivial password (sorta duh)


How would privilege escalation work in this case?


Regarding the older CVE-2020-8816: The code sent in the request is executed using sudo. From there, the code can use curl/wget to download a script from a specified server, and execute the script as root and take over the device.

For this CVE, here is a description:

https://frichetten.com/blog/cve-2020-11108-pihole-rce/



